Abstract. We introduce what (if some kind of group action exists) is a truly
(information-theoretically) safe cryptographic communication system: a
protocol which provides zero information to any passive adversary having
full access to the channel.



1. The false algorithm, simple version 

Assume Alice wants to share a secret $s$, which we assume for simplicity¹
is a non-zero rational number $s = p/q \in \mathbb{Q}^*$. For example, $s$ could be the
key of a symmetric key protocol, a password or even a complete message
such as a pair of coordinates in a map or a time.

Alice picks another random rational $t$ and calls $v = (s, t)$ the corresponding
point in $\mathbb{Q}^2$.

She chooses a random transformation $A \in GL_2(\mathbb{Q})$ in the general linear group of
$\mathbb{Q}^2$ and computes $v_1 = v \cdot A$. Alice sends $v_1$ to Bob.

Bob picks another random transformation $B \in GL_2(\mathbb{Q})$ and computes
$v_2 = v_1 \cdot B$, and sends $v_2$ back to Alice. Notice that $v_1$ gives no information
to Bob or an eavesdropper (Eve) about $s$, because $t$ is random and $v_1$ can
be any point in $\mathbb{Q}^2$, depending on $t$ and $A$, which are both unknown to both
Bob and Eve. For a similar reason, the knowledge of $v_1$ and $v_2$ gives no
useful information about $B$.

Alice now computes $v_3 = v_2 \cdot A^{-1}$ and sends $v_3$ back to Bob. Again, the
knowledge of $v_1$, $v_2$ and $v_3$ is useless in order to retrieve the original $v$.

Finally, Bob computes $v_4 = v_3 \cdot B^{-1}$.

If only $v_4 = v$...!

2. The protocol "would be" safe 

Let us assume the above algorithm ends up with $v_4 = v$ and let us prove
that it is safe under this condition.

Theorem 1. The above method of communication is information-theoretically
safe, assuming $v$, $A$ and $B$ (and their inverses, obviously) are kept secret.
That is, the knowledge of the whole communication gives no information on
the message.

Proof. We only need to show that an eavesdropper who knows all the
communication has no clue about what $s$ may be. In other words, it is
enough to show that for any rational $s'$, there exists another rational number
$t'$ and matrices $A'$, $B'$ such that the communication between Alice and Bob
is the same (i.e. $v_1$, $v_2$ and $v_3$). But this is trivial. □

¹ This assumption might be relaxed; using an infinite set is for exposition reasons, see
section 3.

Remark: The algorithm described above obviously does not work because
$GL_2(\mathbb{Q})$ is non-commutative (in general, the linear group is non-commutative
for dimension greater than 1).
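Added example (not part of the paper): the exchange of section 1 run over exact rationals in Python, showing that $v_4 \neq v$ for generic $A, B \in GL_2(\mathbb{Q})$ and, going one step beyond the text, that restricting to the commutative subgroup of multiplications by Gaussian rationals makes the protocol close but lets a passive eavesdropper recover $v$ from $(v_1, v_2, v_3)$, which is why section 3 asks for conditions on the action beyond commutativity. The matrices and the secret $(7/3, -5/2)$ are constructed sample values.

```python
from fractions import Fraction as F
# Row vectors (s, t) and 2x2 matrices over Q, all entries as Fractions.
def vec_mul(v, M):
    return tuple(sum(v[k] * M[k][j] for k in range(2)) for j in range(2))

def mat_inv(M):
    (a, b), (c, d) = M
    det = a * d - b * c
    if det == 0:
        raise ValueError("matrix is not in GL2(Q)")
    return ((d / det, -b / det), (-c / det, a / det))

def three_pass(s, t, A, B):
    """Run the exchange of section 1; return Eve's transcript (v1, v2, v3) and Bob's v4."""
    v = (F(s), F(t))
    v1 = vec_mul(v, A)            # Alice -> Bob
    v2 = vec_mul(v1, B)           # Bob -> Alice
    v3 = vec_mul(v2, mat_inv(A))  # Alice -> Bob
    v4 = vec_mul(v3, mat_inv(B))  # Bob's result: v*A*B*A^-1*B^-1, equal to v only if A, B commute
    return (v1, v2, v3), v4

# Constructed generic elements of GL2(Q); A_GEN*B_GEN != B_GEN*A_GEN, so v4 != v.
A_GEN = ((F(1), F(2)), (F(3), F(4)))
B_GEN = ((F(0), F(1)), (F(1), F(1)))

def gauss(a, b):
    """Matrix of right multiplication by the Gaussian rational a - b*i on Q^2 = Q(i).
    These matrices form a commutative subgroup of GL2(Q), so with them v4 == v."""
    return ((F(a), F(-b)), (F(b), F(a)))

def cmul(x, y):
    """Product of (s, t) pairs read as Gaussian rationals s + t*i."""
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def cdiv(x, y):
    n = y[0] * y[0] + y[1] * y[1]
    num = cmul(x, (y[0], -y[1]))
    return (num[0] / n, num[1] / n)

def eve_recovers(transcript):
    """Passive attack on the Gaussian variant: the action is regular, so the transcript is
    v1 = v*a, v2 = v*a*b, v3 = v*b (as Gaussian rationals) and v = v1*v3/v2."""
    v1, v2, v3 = transcript
    return cdiv(cmul(v1, v3), v2)

if __name__ == "__main__":
    s, t = F(7, 3), F(-5, 2)
    print("generic GL2(Q), v4 == v:", three_pass(s, t, A_GEN, B_GEN)[1] == (s, t))  # False
    tr, v4 = three_pass(s, t, gauss(2, 3), gauss(-1, 5))
    print("Gaussian subgroup, v4 == v:", v4 == (s, t), "Eve recovers v:", eve_recovers(tr) == (s, t))  # True True
```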

3. What is needed? 

A natural question comes to mind: what are the necessary conditions for 
a group action on a set for the above algorithm to provide a valid system? 
What we used above is: 

(1) A set $S$ (either finite or infinite) (the rational plane in the example).

(2) An action $G \times S^2 \to S^2$ of a commutative group $G$ on $S^2$ (the group of
movements of the plane in the example, which is not commutative).
This condition means that after the above protocol is carried out
completely, one always gets the original message.

(3) Conditions on the action. At least the following ones, but more 
might be needed: 

• Given $(s, t) \in S^2$ and $g \in G$, for any $s' \in S$ there are $t' \in S$ and
$g' \in G$ such that $g \cdot (s, t) = g' \cdot (s', t')$.

• For any $(s, t) \in S^2$ and $A, B \in G$, there are $(s', t')$ and $A', B' \in G$
for which the sequences in the above algorithm are the same:

$$[(s, t) \cdot A,\ (s, t) \cdot A \cdot B,\ (s, t) \cdot A \cdot B \cdot A^{-1}] =
[(s', t') \cdot A',\ (s', t') \cdot A' \cdot B',\ (s', t') \cdot A' \cdot B' \cdot (A')^{-1}].$$

In fact, we do not need exactly an action of $G$ on $S^2$.

Definition 1. Let $G$ be a (not necessarily commutative) group acting on a
set $T$. We say that $t \in T$ is comm-fixed if $g \cdot t = t$ for any $g \in \mathrm{Comm}(G)$
(the commutator subgroup of $G$). A subset $S \subseteq T$ is comm-fixed if any $s \in S$ is
comm-fixed.

It is clear that a subset $S \subseteq T$ is comm-fixed if and only if, for any $s \in S$
and any $g, h \in G$, one has $s = h^{-1} g^{-1} h g s$. From this, it follows that we
do not need exactly an action of a commutative group on $S^2$ but an action
of a (not necessarily commutative) group on a set $X \supseteq S^2$ for which $S^2$ is
comm-fixed and which satisfies, at least, condition (3) above.

We would like to prove two results; the first one seems relatively easy, 
while we have no clue (but are somewhat pessimistic) about the second one: 

Conjecture 1. With the above conditions on $X$, $S^2$ and $G$, the protocol
described in section 1 is information-theoretically safe.

Question 1. Do there exist $X$, $S$ and a group $G$ acting on $X$ for which
$S^2 \subseteq X$ is comm-fixed and such that the stated conditions hold?

Remark: it is obvious that can be changed by any set of the same
cardinality.